Hivemind turns agent traces into skills and shares with your team

Summary

Inserts a single 🐝 consent prompt between hivemind install and the device-flow browser open. Adds an API-key paste fallback when the user declines or the device flow fails to complete, and a non-interactive token path (--token / DEEPLAKE_API_TOKEN / HIVEMIND_TOKEN) for CI / scripted installs. Failed/declined sign-in no longer aborts install — hooks always land; auth becomes a separable concern.

Addresses the ~85% drop-off between hivemind install and completed sign-in (~30 → ~5).

Flow

Three paths, dispatched by runAuthGate() in src/cli/index.ts:

| Context | Token source | Outcome |
|---|---|---|
| TTY, no token | — | Show 🐝 banner → Yes runs device flow; No (or failed device flow) → API-key paste fallback. Empty paste = continue, skip sign-in. |
| TTY, --token / env token | flag/env | Validate via /me, save creds, skip consent (token = consent) |
| Non-TTY, token present | flag/env | Same as above, no prompt |
| Non-TTY, no token | — | Print "No TTY" + URL + retry command (DEEPLAKE_API_TOKEN=<key> hivemind install), continue install |
| Any context, --skip-auth | — | Bypass everything (unchanged) |

Banner copy

🐝 One more step to unlock Hivemind

To enable shared memory and auto-learning across your agents,
we need to sign you in. Your traces will be securely stored in
your private Hivemind, so all your agents can recall them.

You can later connect your own cloud storage like S3/GCS/Azure Blob.

Sign in now? [Y/n]

If N (or Y but device flow doesn't complete):

Alternatively, sign in at https://app.deeplake.ai/api-keys, create
an API key, and paste it here. Press Enter to skip and continue
installing without sign-in (you can run `hivemind login` later).

API key:

Autoupdate insulation (verified, no code change)

Autoupdate is triple-guarded against this new prompt:

1. Only fires when creds?.token exists (src/hooks/shared/autoupdate.ts:128-129)
2. Spawns hivemind install with --skip-auth (src/cli/update.ts:207)
3. Uses detached: true, stdio: "ignore" so child stdin is closed regardless

tests/cli/update-skip-auth-guard.test.ts source-greps + bundle-greps the --skip-auth arg so a future refactor can't silently route autoupdate through consent.

Structural changes

• saveCredentialsFromToken(token, apiUrl, { skipTokenMint }) extracted in src/commands/auth.ts — single credentials-writer shared by device flow and env-var/flag path.
• confirm() and new promptLine() lifted into src/cli/util.ts — reused by sessions prune and the new paste fallback.
• New loginWithProvidedToken() in src/cli/auth.ts.
• New parseToken() flag parser + runAuthGate() dispatcher in src/cli/index.ts.

Telemetry

Intentionally not in this PR. The existing signup_intent (deeplake-api PR #222, already merged) + signup_completed already measure the install→signup funnel. Granular consent-step events (declined / token-paste / device-flow outcome attribution) will land in a follow-up PR pair: (a) deeplake-api adds a value property to signup_intent plus a token-paste firing point on /me, (b) hivemind sends a X-Hivemind-Signin-Method header on the relevant calls.

Test plan

• [x] 16 unit cases in tests/cli/install-consent.test.ts covering TTY accept/decline + paste fallback (empty + valid), accept + device-flow-fail + recovery paste, all non-TTY combinations, --skip-auth, already-logged-in
• [x] 5 cases for confirm() in tests/cli/cli-util.test.ts
• [x] 7 cases for loginWithProvidedToken() in tests/cli/cli-auth.test.ts
• [x] 3 bundle smoke cases in tests/cli/install-consent-bundle.test.ts — drives bundle/cli.js with closed stdin against a mock /me, asserts no readline hang
• [x] 2 regression cases in tests/cli/update-skip-auth-guard.test.ts — source AND bundle level --skip-auth literal preserved
• [x] Existing tests/cli/cli-index.test.ts updated for the new contract; restores process.stdin.isTTY in teardown (CodeRabbit out-of-diff fix)
• [x] Full per-file coverage thresholds met for src/cli/util.ts and src/cli/auth.ts (80%)
• [x] Manual: TTY decline (pty), TTY accept (real prod browser sign-in), TTY + invalid token against mock 401, non-TTY + valid token against mock /me + /organizations, --skip-auth, already-logged-in — all green against the real built bundle

Out of scope

• Telemetry events for consent_shown / accepted / declined / token_paste (follow-up PR pair).
• Re-prompting consent at session-start if user said no.
• A "remind me later" third option.

Confidence: 90%. Untested: real production /me + /organizations with a real beta token end-to-end (verified against mocked endpoints; shape was confirmed against deeplake-api source).